[ISN] Security UPDATE, April 25, 2001

From: InfoSec News <isn_at_C4I.ORG>
Date: Wed 25 Apr 2001 - 18:02:00 CDT
********************
Windows 2000 Magazine Security UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter from
the Windows 2000 Magazine Network
http://www.win2000mag.net/Channels/Security
********************

This week's issue sponsored by

McAfee ePolicy Orchestrator
http://www.win2000mag.com/jump.cfm?ID=129

|-+-|-+-|-+-|-+-|-+-|-+-|
April 25, 2001 - In this issue:

1. IN FOCUS
     - SMBRelay: Another Good Reason to Protect Your Internal Network

2. SECURITY RISKS
     - Implementation Flaw with Microsoft WebDAV
     - Denial of Service Condition in Microsoft ISA Server

3. ANNOUNCEMENTS
     - New Seminars Series--Don't Be Left Out!
     - There Is Such a Thing as a Free Lunch!

4. SECURITY ROUNDUP
     - News: Fortress Strengthens Wired Equivalent Privacy
     - Feature: Exchange Server Antivirus Scanners
     - Review: WinWhatWhere Investigator 3.0

5. NEW AND IMPROVED
     - Advanced Security Software for Palm OS
     - Personal Firewall Protects PCs Before Windows Launches
     - Internet Content Security Solution

6. SECURITY TOOLKIT
     - Book Highlight: PKI: Implementing and Managing E-security
     - Virus Alert: W32/Matcher
     - FAQ: I've Upgraded to Windows 2000 Server with Service Pack 1
       (SP1) Slipstreamed. Why Doesn't the Registry Show that SP1 Is
       Installed?

     - SOHO Security: Using PGP to Secure Your Email
     - New Poll: Which Administrative Scripting Language Do You Use Most
       Often?

7. HOT THREADS
     - Windows 2000 Magazine Online Forums
          Problem Sending Mail from MS-Outlook Express (Client Side)
     - HowTo Mailing List
          Preventing Exchange 5.5 Server from Being Used to Relay Spam
          Reduce Domain Administrators

8. CONTACT US
See this section for a list of ways to contact us.

~~~~ SPONSOR: MCAFEE EPOLICY ORCHESTRATOR ~~~~
Managing anti-virus protection through policy can save any business
money. A policy gives you a framework that allows you to more
effectively update your protection - critical in the fight against
viruses. Up-to-date protection prevents infections. And fewer infections
means less downtime and less time spent cleaning up. A policy also gives
you a benchmark against which to measure performance - in terms of both
protection and infection rates. By establishing and enforcing an
anti-virus policy, you save money where it counts the most: in the
ongoing management of anti-virus protection. ePolicy Orchestrator is the
best anti-virus management tool in independent tests.
http://www.win2000mag.com/jump.cfm?ID=129

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Security UPDATE?
Email emedia_opps@win2000mag.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Last week, I discussed 3COM's new Embedded Firewall and the need to
protect your internal networks. Shortly after I wrote that column, I
came across some interesting news: A new program--SMBRelay--is available
that can hijack a user's session to perform a man-in-the-middle attack.
SMBRelay represents another good reason to protect your internal
networks.

SMBRelay's author is Sir Dystic, a member of Cult of the Dead Cow (cDc).
You'll recall that cDc also published Back Orifice and BO2K, remote
control tools for Windows systems. SMBRelay sits on a Windows system
waiting for a user to connect. When the user connects, the relay passes
authentication traffic to its destination in a proxy-like fashion. After
the system authenticates the session, the relay then disconnects the
user's system and assumes control of the session. An intruder can use
the relay system to access network resources under the same authority as
the user whose session was hijacked. You can learn more about the
program at the URL below.
http://pr0n.newhackcity.net/~sd/smbrelay.html

SMBRelay relies on the fact that many networks use the older NT LAN
Manager (NTLM) authentication instead of the newer NTLMv2. The release
of the L0phtcrack ( http://www.securitysoftwaretech.com/lc3 )
password-cracking software showed security vulnerabilities in NTLM, so
Microsoft released NTLMv2 when it published Windows NT 4.0 Service Pack
4 (SP4). To learn about NTLMv2, see Randy Franklin Smith's article,
"Inside SP4 NTLMv2 Security Enhancements," at the following URL.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=7072

In addition, Microsoft has several articles online that discuss NTLMv2,
including "How to Disable LM Authentication on Windows NT," and "How to
Enable NTLM 2 Authentication for Windows 95/98/2000 and NT." You can add
NTLMv2 support to Windows 9x by installing the Directory Services Client
from the Windows 2000 CD-ROM as discussed in the second article. The
articles are located at the URLs below.
http://support.microsoft.com/support/kb/articles/Q147/7/06.asp
http://support.microsoft.com/support/kb/articles/Q239/8/69.asp

NTLMv2 strengthens NTLM-based authentication, but it doesn't eliminate
all risk. For example, NTLMv2 stops SMBRelay from hijacking user
sessions, but the protocol might not stop future Server Message Block
(SMB) relays. To better protect against man-in-the-middle attacks, you
might want to integrate firewalls at the desktop and server level to
guard against rogue client connections. Also consider VPN technology to
protect user sessions and session traffic. Implementing a VPN can be
tedious--but probably far less tedious than cleaning up after an
intruder.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
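
An added example, not part of the original newsletter or the Microsoft articles it cites: a check that reads regedit exports collected from hosts and flags the ones still sending LM/NTLM responses instead of NTLMv2, using the LmCompatibilityLevel value under Control\Lsa. The host names and export text are constructed, and treating an absent value as level 0 is an assumption for the Windows NT 4.0 and Windows 2000 systems the column covers.

```python
import re

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Client-side meaning of each LmCompatibilityLevel value.
LEVELS = {
    0: "sends LM and NTLM responses",
    1: "sends LM and NTLM; NTLMv2 session security if negotiated",
    2: "sends NTLM response only",
    3: "sends NTLMv2 response only",
    4: "sends NTLMv2 only; domain controllers refuse LM",
    5: "sends NTLMv2 only; domain controllers refuse LM and NTLM",
}
DEFAULT_LEVEL = 0  # assumption: an absent value behaves as level 0 on NT 4.0 / 2000

# Constructed REGEDIT4 exports keyed by hypothetical host name.
EXPORTS = {
    "WS01": r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
""",
    "SRV02": r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003
""",
    # Value created under the wrong subkey, so it has no effect on this host.
    "FILE03": r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"LmCompatibilityLevel"=dword:00000005
""",
    "DC01": r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000005
""",
}

def lm_level(reg_text):
    """Return LmCompatibilityLevel from the Lsa key itself, or None if not set there."""
    in_lsa = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_lsa = line[1:-1].lower() == LSA_KEY  # exact key, not its subkeys
        elif in_lsa:
            m = re.match(r'"lmcompatibilitylevel"\s*=\s*dword:([0-9a-f]{8})$', line, re.I)
            if m:
                return int(m.group(1), 16)
    return None

def audit(exports):
    """Map host -> (effective level, still sends LM/NTLM?, description)."""
    report = {}
    for host, text in exports.items():
        found = lm_level(text)
        level = DEFAULT_LEVEL if found is None else found
        desc = LEVELS.get(level, "unknown value")
        if found is None:
            desc += " (value not set; default assumed)"
        report[host] = (level, level not in (3, 4, 5), desc)
    return report

if __name__ == "__main__":
    for host, (level, weak, desc) in sorted(audit(EXPORTS).items()):
        print(f"{host:7} level={level} {'REVIEW' if weak else 'ok':6} {desc}")
```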

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* IMPLEMENTATION FLAW WITH MICROSOFT WEBDAV
Microsoft reported a flaw in its WWW Distributed Authoring and
Versioning (WebDAV) implementation that runs a script under the user's
security context. WebDAV should distinguish between a user's request and
the script that a Web browser runs, but Microsoft WebDAV doesn't
differentiate the two. An attacker can use this flaw to browse the
user's intranet or access Web-based email if the attacker knows certain
variables, such as server names, folder structures, and specific user
and network information. Microsoft has issued security bulletin MS01-022
to address this vulnerability and has also released a hotfix that
changes the WebDAV implementation to correctly process these scripts.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=20749

* DENIAL OF SERVICE CONDITION IN MICROSOFT ISA SERVER
SecureXpert Labs discovered that when you use Microsoft Internet
Security and Acceleration (ISA) Server 2000 Web Publishing to bridge
HTTP traffic to a Web server, a malicious attacker can use an invalid
Web request containing a certain malformed argument to cause an access
violation in the Web proxy service, denying service for legitimate
traffic. Microsoft disables this service by default. Microsoft has
issued security bulletin MS01-021 to address this vulnerability and has
also issued a hotfix that enables ISA Server 2000's Web proxy service to
correctly treat this request as invalid.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=20689

3. ========= ANNOUNCEMENTS ==========

* NEW SEMINARS SERIES--DON'T BE LEFT OUT!
Check out our new 1- and 2-day seminars sponsored by Aelita Software.
Hear from industry experts Mark Minasi, Kalen Delaney, and Steve Milroy,
and polish your IT skills in informative sessions about Windows 2000
Server, SQL Server, and mobile and wireless connectivity. Seminars will
be held in Los Angeles, Boston, and San Francisco in May and June. Sign
up today!
http://www.win2000mag.net/seminars

* THERE IS SUCH A THING AS A FREE LUNCH!
Do you subscribe to Windows 2000 Magazine? Plan to attend N+I in Las
Vegas this May? We're seeking readers for a focus group at N+I.
Participants get $100 and a free lunch. If you're interested, email
kcollins@win2000mag.com. Include your name, job title, and phone
number.

4. ========== SECURITY ROUNDUP ==========

* NEWS: FORTRESS STRENGTHENS WIRED EQUIVALENT PRIVACY
To strengthen known weaknesses in the Wired Equivalent Privacy (WEP)
protocol used in the 802.11b wireless network standard, Fortress
Technologies has released a new Layer 2 protocol called Wireless Link
Layer Security (wLLS). The new protocol provides secure frame and packet
transmissions by automating crucial security operations, including
encryption, authentication, data integrity-checking, key exchange, and
data compression. Fortress based wLLS on techniques the company uses in
its patented Secure Packet Shield (SPS) technology.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20706

* FEATURE: EXCHANGE SERVER ANTIVIRUS SCANNERS
In the past, maintaining a regular virus-scanning regimen on your
network was sufficient to prevent, or at least contain, viruses because
viruses typically spread through disks. Today, however, email is the
primary communication tool in many work environments. Users create,
send, and receive countless email messages and attached files every day.
Because most viruses now spread through email, ensuring that your
networks remain virus-free is difficult. What is an overworked network
administrator to do? One solution is to install a server-side virus
scanner. Read all about it in Jonathan Chau's latest article on our Web
site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20394

* REVIEW: WINWHATWHERE INVESTIGATOR 3.0
Rodney Landrum admits he's looked through Web logs to see which users on
his company's network visit illicit Web sites and which spend hours
surfing instead of working. As a network administrator, Rodney has also
used data-packet-capture tools for troubleshooting. However, some
administrators might find more detailed user-activity reports desirable,
especially if they suspect illegal conduct on the business's computer
systems. WinWhatWhere's WinWhatWhere Investigator 3.0 is more than a Web
log. The product captures data from Windows 2000, Windows NT, Windows
Me, and Windows 9x machines. Learn all about the application in Rodney's
latest review on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20390

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* ADVANCED SECURITY SOFTWARE FOR PALM OS
Asynchrony released PDABomb, a security application that locks Palm
OS-based handheld devices and provides powerful, customizable, and
flexible encryption of personal data. The application disables data
transfer mechanisms such as HotSync and IrDA so that no one can retrieve
information without the correct password. After a certain number of
incorrect password attempts, the user can opt to set off the "bomb,"
which erases all data and applications from the device. The user can
then restore the data by syncing the device with a backup maintained on
the user's computer. Go to http://www.pdabomb.com for more information
about PDABomb.
http://www.asynchrony.com

* PERSONAL FIREWALL PROTECTS PCS BEFORE WINDOWS LAUNCHES
Tiny Software announced Tiny Personal Firewall, a personal firewall
positioned between the network interface adapter and the OS so that the
PC is protected in the initial seconds of booting. This setup eliminates
the possibility of hackers intruding with Trojan horses during this
crucial and vulnerable stage. Tiny Personal Firewall offers many
firewall features and is compatible with Windows 2000, Windows NT,
Windows Me, and Windows 9x. The application is free for personal use,
and pricing starts at $39 for business use. Bulk license rates are also
available. For more information, go to the Tiny Software Web site.
http://www.tinysoftware.com

* INTERNET CONTENT SECURITY SOLUTION
Aladdin Knowledge Systems released eSafe Gateway 3.01, an Internet
content security solution that provides simple installation and fast
content inspection using new NitroInspection Plug & Play (PnP)
technology. IT managers plug eSafe Gateway 3.01 behind the firewall
using a crossed network cable, and installation is complete. eSafe
Gateway 3.01 provides immediate content inspection and verifies
on-the-fly the content-type of the data transferred via HTTP. The
application pushes through the graphics/audio/video content that doesn't
contain malicious code, while inspecting other potentially malicious
content such as HTML, ActiveX, Java, viruses, and vandals. For more
information, go to the Aladdin Web site.
http://www.ealaddin.com

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: PKI: IMPLEMENTING AND MANAGING E-SECURITY
By Andrew Nash, Bill Duane, and Derek Brink
Fatbrain Online Price: $49.99
Softcover; 513 pages
Published by McGraw-Hill Professional Book Group, May 2001
ISBN 0072131233
Have you installed adequate security to protect your network from
hackers? Written by RSA Security experts, "PKI: Implementing and
Managing E-security" provides you with the tools to prevent access to
your data and to secure any electronic transactions. This book explores
public key infrastructure (PKI) basics, PKIX model, X.509, trust models,
privilege management, and biometrics.

For more information or to purchase this book, go to the Windows 2000
Magazine Bookstore and click UPDATE Highlights under Highlighted Titles.
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772

Or go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0072131233
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS ALERT: W32/MATCHER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
http://www.windowsitsecurity.com/panda

W32/Matcher
W32/Matcher is a worm designed to propagate through email. The worm is
written in Visual Basic (VB) and is 28KB. W32/Matcher requires the
Msvbvm60.dll Visual Basic Dynamic Library to work properly. The worm
reaches systems in the form of an email message with a subject of
"Matcher" and a message body that reads, "Want to find your love
mates!!! Try this its cool... Looks and Attitude matching to opposite
sex." The worm carries a file attachment called Matcher.exe that infects
the user's system. To learn all about Matcher, be sure to visit our
Center for Virus Control.
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1084

* FAQ: I'VE UPGRADED TO WINDOWS 2000 SERVER WITH SERVICE PACK 1 (SP1)
SLIPSTREAMED. WHY DOESN'T THE REGISTRY SHOW THAT SP1 IS INSTALLED?
( contributed by John Savill, http://www.windows2000faq.com )

Slipstreaming, which lets you integrate a service pack's content into a
setup area for the OS, is a great addition to Win2K. However, a known
problem exists: The system doesn't update the registry key that
indicates that SP1 is installed. This is a minor issue, and you can
resolve it by performing the following steps:
  1. Start regedit.exe.
  2. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
  3. From the Edit menu, select New, String value.
  4. Enter a name of CSDVersion, and click Enter.
  5. Double-click the value and set it to Service Pack 1. Click OK.
  6. Close regedit.
You can also download and run the servicepack1.reg script, located on
our Windows NT/2000 FAQ site.
http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=20686

* SOHO SECURITY: USING PGP TO SECURE YOUR SOHO EMAIL
Small office/home office (SOHO) users often need to send and receive
private email. Although SOHOs don't have the resources that are
available to larger organizations to maintain email security and
integrity, SOHOs still might need to use cryptography for protection.
Learn how to use Pretty Good Privacy (PGP) to keep your email
communication more secure in Jonathan Hassel's latest article on our Web
site.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=20696

* NEW POLL: WHICH ADMINISTRATIVE SCRIPTING LANGUAGE DO YOU USE MOST
OFTEN?
Which scripting language do you use most often to perform administrative
tasks? Visit our Web site and take our latest poll. We'll use your
answers to learn which types of scripting languages we should cover in
detail in our publications.
http://www.windowsitsecurity.com

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums.
http://www.win2000mag.net/forums

April 07, 2001, 07:29 A.M.
Problem Sending Mail from MS-Outlook Express (Client Side)
(Five messages in this thread)
I have MS-Proxy Server 2.0 on my Windows NT 4.0 (SP4) machine. I am
using Windows 98 and Windows 95 on the client side. I am using
MS-Outlook Express 5.0 on the client machine. I can receive email, but I
cannot send mail with Outlook Express. An error generates...

"The message could not be sent because one of the recipients was
rejected by the server. The rejected e-mail address was
'aamir_riaz999@yahoo.com'. Subject 'Test Mail', Account: 'Aamir',
Server: 'fsg6.fascom.com', Protocol: SMTP, Server Response: '550 not
local host yahoo.com, not a gateway', Port: 25, Secure(SSL): No, Server
Error: 550, Error Number: 0x800CCC79"

I am using MS-Proxy Client on the client machine. If you know how to
handle this problem, please reply as soon as possible.

Thread continues at
http://www.win2000mag.net/Forums/Application/Thread.cfm?CFApp=64&Thread_ID=63879&mc=5

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week.

1. Preventing Exchange 5.5 Server from Being Used to Relay Spam
(Four messages in this thread)
My service provider has informed me that they suspect someone is using
my company's Exchange server to relay SPAM. But other than that they
offered me no advice as to how to prevent this or even how to track it.
I have routing turned on in the IMS because I need to support a number
of Sales People who are on the road, and I am providing OWA as well. The
mail server itself is sitting behind a firewall, but since it needs to
have ports open for sending and receiving SMTP, POP3, and IMAP traffic,
I'm not sure how much protection it has from intruders. Does anyone have
any advice on what I can do to prevent non-company personnel from using
the Exchange server and still support POP3 for my remote users?
http://63.88.172.96/go/page_listserv.asp?A2=IND0104C&L=HOWTO&P=919

2. Reduce Domain Administrators
(Two messages in this thread)
Our security department is tasked with resolving a common problem in
many large organizations--how to reduce the number of Domain Admin
accounts in a cost-effective way. We need a tool or solution that
enables us to delegate user rights with a moderate-to-high level of
granularity. We've looked at software solutions ranging from
UsermanagemeNT to Aelita Enterprise Delegation Manager. None strike an
acceptable balance between granularity of control and pricing. Can
anyone offer a "How to" or mention how their organization reduced their
number of Domain Administrator accounts?
http://63.88.172.96/go/page_listserv.asp?A2=IND0104C&L=HOWTO&P=296

Follow this link to read all threads for April, Week 3:
http://63.88.172.96/go/page_listserv.asp?A1=ind0104C&L=howto

8. ============ CONTACT US ============
Here's how to reach us with your comments and questions.

* COMMENTS ABOUT THE COMMENTARY?
Email Mark Joseph Edwards at mark@ntsecurity.net

* COMMENTS ABOUT THE NEWSLETTER IN GENERAL?
Email Managing Editor Trish Faubion at tfaubion@win2000mag.com. Please
mention the name of the newsletter in the subject line or body.

* TECHNICAL QUESTIONS?
Please post your technical questions to the discussion area.
http://www.win2000mag.net/forums

* PRODUCT NEWS?
Email press releases to products@win2000mag.com.

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION?
Email Customer Support at securityupdate@win2000mag.com.

* WANT TO SPONSOR SECURITY UPDATE?
Email emedia_opps@win2000mag.com

********************
This Security UPDATE is brought to you by Windows 2000 Magazine, the
leading publication for Windows 2000/NT professionals who want to learn
more and perform better. Subscribe today.
http://www.win2000mag.com/sub.cfm?code=00inxupb

|-+-|-+-|-+-|-+-|-+-|-+-|

Windows 2000 Magazine Security UPDATE Staff
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice, including Win2K Pro, Exchange Server, training
and certification, SQL Server, IIS administration, .NET development,
application service provision, .NET, wireless and mobile devices, and
more. Visit our Web site to subscribe to our other FREE email
newsletters.
http://www.win2000mag.com/sub.cfm?code=up00inxwnf
|-+-|-+-|-+-|-+-|-+-|-+-|-

Thank you for reading Security UPDATE.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Thu Apr 26 04:18 CDT 2001